# JavaScript Web App Reverse Engineering - Module Identification Some notes on JavaScript Web App Reverse Engineering, specifically focussing on module / dependency identification. ## Table of Contents - [Modules](#modules) - [Past Work](#past-work) - [`autoprefixer` / `autoprefixer-deno`](#autoprefixer--autoprefixer-deno) - [`browserslist/caniuse-lite` / `Fyrd/caniuse`](#browserslistcaniuse-lite--fyrdcaniuse) - [`crypto-js`](#crypto-js) - [`cssnano` / `stylehacks`](#cssnano--stylehacks) - [`html-dom-parser`](#html-dom-parser) - [`postcss` / `postcss-deno`](#postcss--postcss-deno) - [`prosemirror-state`](#prosemirror-state) - [`react-resizable`](#react-resizable) - [`tailwindcss-typography`](#tailwindcss-typography) - [See Also](#see-also) - [My Other Related Deepdive Gist's and Projects](#my-other-related-deepdive-gists-and-projects) ## Modules ### Past Work For the more general case of 'module detection' (and related concepts), see these issues: - https://github.com/pionxzh/wakaru/issues/41 - > Module detection - https://github.com/pionxzh/wakaru/issues/73 - > add a 'module graph' - https://github.com/pionxzh/wakaru/issues/74 - > explore 'AST fingerprinting' for module/function identification (eg. to assist smart / stable renames, etc) And other similar deep dives / reverse engineering / module identification attempts: - https://github.com/pionxzh/wakaru/issues?q=%22%5Bmodule-detection%5D%22 - https://github.com/pionxzh/wakaru/issues/40 - > `[module-detection / smart-rename]` `styled-components` / `Tailwind-Styled-Component` libs - [Reverse Engineered Webpack Tailwind-Styled-Component (0xdevalias' gist)](https://gist.github.com/0xdevalias/916e4ababd3cb5e3470b07a024cf3125#reverse-engineered-webpack-tailwind-styled-component) - https://github.com/pionxzh/wakaru/issues/50 - > Support detect and replace `swc`'s `runtime-helpers` - https://github.com/pionxzh/wakaru/issues/55 - > Support detect and replace `microsoft/tslib`'s `runtime-helpers` - https://github.com/pionxzh/wakaru/issues/79 - > `[module-detection]` `zustand` - React state management - https://github.com/pionxzh/wakaru/issues/80 - > `[module-detection]` `js-xss` - https://github.com/pionxzh/wakaru/issues/86 - > `[module-detection]` `statsig-io/js-client` - https://github.com/pionxzh/wakaru/issues/87 - > `[module-detection]` `DataDog/browser-sdk` - https://github.com/pionxzh/wakaru/issues/88 - > `[module-detection]` `TanStack/query` - https://github.com/pionxzh/wakaru/issues/89 - > `[module-detection]` `radix-ui/primitives` - ?etc? - https://github.com/j4k0xb/webcrack/issues?q=%22%5Bplugin%5D%22 - https://github.com/j4k0xb/webcrack/issues/143 - > `[plugin]` Add support for `data-sentry-component` / `data-sentry-element` / `data-sentry-source-file` (from `@sentry/babel-plugin-component-annotate`) - https://github.com/j4k0xb/webcrack/issues/151 - > `[plugin]` plugin to support WordPress Gutenberg specific blocks features (including how it injects `window.React`, `window.wp.element`, etc) within JSX decompilation - https://github.com/j4k0xb/webcrack/issues/152 - > `[plugin]` plugin to support unminifying `goober` CSS-in-JS library patterns + related JSX decompilation - ?etc? ### `autoprefixer` / `autoprefixer-deno` - https://github.com/postcss/autoprefixer - > Autoprefixer > PostCSS plugin to parse CSS and add vendor prefixes to CSS rules using values from Can I Use. - https://github.com/lumeland/autoprefixer-deno - > Autoprefixer for Deno > Scripts to transform the source code of autoprefixer for Deno compatibility. I had a file that contained content like this: ```js // ..snip.. class r extends o { check(e) { return !e.value.split(/\s+/).some(e => { let t = e.toLowerCase(); return t === "reverse" || t === "alternate-reverse"; }); } } r.names = ["animation", "animation-direction"]; module.exports = r; ``` Which I searched for on GitHub Code Search: - https://github.com/search?type=code&q=%22names+%3D+%5B%27animation%27%2C+%27animation-direction%27%5D%22 Which seemed to point me towards `autoprefixer` / `autoprefixer-deno`'s `lib/hacks/animation.js`: - https://github.com/postcss/autoprefixer/blob/541295c0e6dd348db2d3f52772b59cd403c59d29/lib/hacks/animation.js#L15 - https://github.com/lumeland/autoprefixer-deno/blob/f44e39599235d48715e1608aa689107f46cb2525/deno/lib/hacks/animation.js#L15 ### `browserslist/caniuse-lite` / `Fyrd/caniuse` - https://github.com/browserslist/caniuse-lite - > A smaller version of `caniuse-db`, with only the essentials! - https://github.com/Fyrd/caniuse - > Raw browser/feature support data from caniuse.com I found the following confusing looking code in a bundle I was exploring (prettified here): ```js module.exports = { A: { A: { 1: "A B", 2: "J E F G PC" }, B: { 1: "0 1 2 3 4 C K L H M N O P Q R S T U V W X Y Z a b c d e f g h i j k l m r s t u v w x y z D" }, C: { 1: "6 7 8 9 H M N O n o p AB BB CB DB EB FB GB HB IB JB KB LB MB NB OB PB QB RB SB TB UB VB WB XB YB ZB aB bB cB", 2: "5 QC 3B I J E F G A B C K L RC SC", 129: "dB eB fB", 769: "gB 4B", 1281: "0 1 2 3 4 hB 5B iB jB kB lB mB nB oB pB qB rB sB q tB uB vB wB xB P Q R 6B S T U V W X Y Z a b c d e f g h i j k l m r s t u v w x y z D 7B 8B 9B" }, D: { 1: "0 1 2 3 4 8 9 AB BB CB DB EB FB GB HB IB JB KB LB MB NB OB PB QB RB SB TB UB VB WB XB YB ZB aB bB cB dB eB fB gB 4B hB 5B iB jB kB lB mB nB oB pB qB rB sB q tB uB vB wB xB P Q R S T U V W X Y Z a b c d e f g h i j k l m r s t u v w x y z D 7B 8B 9B", 2: "5 6 I J E F G A B C K L H M N O", 33: "7 n o p" }, E: { 1: "F G A B C K L H XC BC yB zB CC YC ZC DC EC 0B aC 1B FC GC HC IC JC KC 2B LC MC bC", 2: "5 I J E TC AC UC VC WC" }, F: { 1: "6 7 8 9 H M N O n o p AB BB CB DB EB FB GB HB IB JB KB LB MB NB OB PB QB RB SB TB UB VB WB XB YB ZB aB bB cB dB eB fB gB hB iB jB kB lB mB nB oB pB qB rB sB q tB uB vB wB xB P Q R 6B S T U V W X Y Z a b c d e f g h i j k l m", 2: "G B C cC dC eC fC yB NC gC zB" }, G: { 1: "F mC nC oC pC qC rC sC tC uC vC wC xC yC zC 0C DC EC 0B 1C 1B FC GC HC IC JC KC 2B LC MC", 2: "AC hC OC iC jC kC lC" }, H: { 2: "2C" }, I: { 1: "D 7C 8C", 2: "3B I 3C 4C 5C 6C OC" }, J: { 1: "A", 2: "E" }, K: { 1: "q", 2: "A B C yB NC zB" }, L: { 1: "D" }, M: { 1: "D" }, N: { 1: "A B" }, O: { 1: "0B" }, P: { 1: "I n o p 9C AD BD CD DD BC ED FD GD HD ID 1B 2B JD KD" }, Q: { 1: "CC" }, R: { 1: "LD" }, S: { 1: "MD ND" } }, B: 2, C: "High Resolution Time API", D: true }; ``` Searching GitHub for the only identifiable string didn't turn up much, except that it seemed like it might relate to a web feature, and some references linked to caniuse.com: - https://github.com/search?type=code&q=%22High+Resolution+Time+API%22 - https://caniuse.com/high-resolution-time Trying to search for parts of the other 'minified' strings on GitHub mostly seemed to turn up pnpm cache entries and similar, but didn't help to identify what the original source was. Looking at the repo containing the data for caniuse.com, and searching for the identifiable string seemed to confirm that it looks related in data shape, but wasn't quite the right match, as it still didn't explain the weird 'minified' looking strings: - https://github.com/search?q=repo%3AFyrd%2Fcaniuse+%22High+Resolution+Time+API%22&type=code - https://github.com/Fyrd/caniuse/blob/4ef5449979e70a3188a721c299247d436aaab71f/features-json/high-resolution-time.json#L2 Exploring a bit further with ChatGPT pointed me towards `browserslist/caniuse-lite`, and while searching for the main identifiable string didn't turn up anything directly, manually looking at the data did find what seemed to be a close match for the code we found in the bundle: - https://github.com/search?q=repo%3Abrowserslist%2Fcaniuse-lite%20%22High%20Resolution%20Time%20API%22&type=code - https://github.com/browserslist/caniuse-lite/blob/main/data/features/high-resolution-time.js While this is one example, there are many other examples based on all of the other feature data: - https://github.com/browserslist/caniuse-lite/tree/main/data/features ### `crypto-js` - https://github.com/brix/crypto-js - > JavaScript library of crypto standards. I had a file that contained content like this: ```js // ..snip.. i = (r = (o = d).lib).Base; a = r.WordArray; s = (l = o.algo).SHA256; c = l.HMAC; u = l.PBKDF2 = i.extend({ cfg: i.extend({ keySize: 4, hasher: s, iterations: 250000 }), // ..snip.. o.PBKDF2 = function (e, t, n) { return u.create(n).compute(e, t); }; module.exports = d.PBKDF2; ``` Which I searched for on GitHub Code Search: - https://github.com/search?type=code&q=Base+WordArray+algo+SHA256+HMAC+PBKDF2+%22this.cfg%22+%22iterations%3A+250000%22 Which seemed to point me towards `crypto-js`'s `src/pbkdf2.js`: - https://github.com/brix/crypto-js/blob/ac34a5a584337b33a2e567f50d96819a96ac44bf/src/pbkdf2.js#L4-L26 ### `cssnano` / `stylehacks` - https://github.com/cssnano/cssnano - > A modular minifier, built on top of the PostCSS ecosystem. - https://github.com/cssnano/cssnano/tree/master/packages/stylehacks - > stylehacks > Detect/remove browser hacks from CSS files. I had a file that just contained this content: ```js module.exports = { MEDIA_QUERY: "media query", PROPERTY: "property", SELECTOR: "selector", VALUE: "value" }; ``` Which I searched for on GitHub Code Search: - https://github.com/search?type=code&q=%22MEDIA_QUERY%3A+%5C%22media+query%5C%22%22 Which seemed to point me towards `stylehacks`, which seems to be a part of `cssnano` - https://github.com/cssnano/cssnano/blob/2e5a24ff7d33f877542e3d0d09f0988a760f5e77/packages/stylehacks/types/dictionary/identifiers.d.ts ### `html-dom-parser` - https://github.com/remarkablemark/html-dom-parser - > HTML to DOM parser that works on both the server (Node.js) and the client (browser) - > The parser converts an HTML string to a JavaScript object that describes the DOM tree. I had a file that contained content like this: ```js // ..snip.. function a(e) { return function (e) { return r.CASE_SENSITIVE_TAG_NAMES_MAP[e]; }(e = e.toLowerCase()) || e; } exports.formatAttributes = i; exports.formatDOM = function e(t, n = null, r) { // ..snip.. (l = new o.ProcessingInstruction(r.substring(0, r.indexOf(" ")).toLowerCase(), r)).next = s // ..snip.. ``` Which I searched for on GitHub Code Search: - https://github.com/search?type=code&q=CASE_SENSITIVE_TAG_NAMES_MAP+formatAttributes+formatDOM+ProcessingInstruction Which seemed to point me towards `html-dom-parser`'s `utilities.ts` file: - https://github.com/remarkablemark/html-dom-parser/blob/b0afd7261a95ada2332b1e107aba2256a80cfa7c/src/client/utilities.ts#L18-L20 ### `postcss` / `postcss-deno` - https://github.com/postcss/postcss - > PostCSS is a tool for transforming styles with JS plugins. These plugins can lint your CSS, support variables and mixins, transpile future CSS syntax, inline images, and more. - https://github.com/postcss/postcss-deno - > PostCSS for Deno > Scripts to transform the source code of PostCSS for Deno compatibility. I had a file that started with this content: ```js const t = { after: "\n", beforeClose: "\n", beforeComment: "\n", beforeDecl: "\n", beforeOpen: " ", beforeRule: "\n", colon: ": ", commentLeft: " ", commentRight: " ", emptyBody: "", indent: " ", semicolon: false }; // ..snip.. ``` Which I searched for on GitHub Code Search: - https://github.com/search?type=code&q=after%3A+%22%5Cn%22%2C+++beforeClose%3A+%22%5Cn%22%2C+++beforeComment%3A+%22%5Cn%22%2C+++beforeDecl%3A+%22%5Cn%22%2C Which after a little looking through things, lead me to the `postcss` / `postcss-deno` `stringifier.js` file: - https://github.com/postcss/postcss/blob/7ac43db0c30c08dc799a55e5f2f1f269a61b6856/lib/stringifier.js#L3-L16 - https://github.com/postcss/postcss-deno/blob/01dfbb279fa8811ee649ecfdfa210112aaab8d7a/deno/lib/stringifier.js#L3-L16 If I kept looking through the minified code I also would have seen this part later on, which sort of helped confirm that it relates to PostCSS: ```js // ..snip.. stringify(e, t) { if (!this[e.type]) { throw new Error("Unknown AST node type " + e.type + ". Maybe you need to change PostCSS stringifier."); } this[e.type](e, t); } // ..snip.. ``` ### `prosemirror-state` - https://github.com/ProseMirror/prosemirror-state - > ProseMirror editor state - > This is a [core module](https://prosemirror.net/docs/ref/#state) of [ProseMirror](https://prosemirror.net/). ProseMirror is a well-behaved rich semantic content editor based on `contentEditable`, with support for collaborative editing and custom document schemas. - > This [module](https://prosemirror.net/docs/ref/#state) implements the editor state, which tracks the current document and selection, and managed plugins. I had a file that contained content like this: ```js // ..snip.. static near(e, t = 1) { return this.findFrom(e, t) || this.findFrom(e, -t) || new m(e.node(0)); } static atStart(e) { return f(e, e, 0, 0, 1) || new m(e); } static atEnd(e) { return f(e, e, e.content.size, e.childCount, -1) || new m(e); } static fromJSON(e, t) { if (!t || !t.type) { throw new RangeError("Invalid input for Selection.fromJSON"); } let n = i[t.type]; if (!n) { throw new RangeError(`No selection type ${t.type} defined`); } return n.fromJSON(e, t); } // ..snip.. ``` Which I searched for on GitHub Code Search: - https://github.com/search?type=code&q=near+atStart+atEnd+fromJSON Which seemed to point me towards `prosemirror-state`'s `src/selection.ts`: - https://github.com/ProseMirror/prosemirror-state/blob/400e561e65cac59968666b57087e3abae3185061/src/selection.ts#L132-L160 ### `react-resizable` - https://github.com/react-grid-layout/react-resizable - > A simple React component that is resizable with a handle. I had a file that contained content like this: ```js module.exports = function () { throw new Error("Don't instantiate Resizable directly! Use require('react-resizable').Resizable"); }; // ..snip.. ``` Which I searched for on GitHub Code Search: - https://github.com/search?type=code&q=%22Don%27t+instantiate+Resizable+directly%21+Use+require%28%27react-resizable%27%29.Resizable%22 Which seemed to point me towards `react-resizable`'s `index.js`: - https://github.com/react-grid-layout/react-resizable/blob/070d0ad8a3c1a98775b57c59fe1337f6f03947cf/index.js#L2-L4 ### `tailwindcss-typography` - https://github.com/tailwindlabs/tailwindcss-typography - > tailwindcss-typography > Beautiful typographic defaults for HTML you don't control. - > The official Tailwind CSS Typography plugin provides a set of `prose` classes you can use to add beautiful typographic defaults to any vanilla HTML you don’t control, like HTML rendered from Markdown, or pulled from a CMS. I had a file that contained content like this: ```js // ..snip.. const r = e => e.toFixed(7).replace(/(\.[0-9]+?)0+$/, "$1").replace(/\.0$/, ""); // ..snip.. ``` Which I searched for on GitHub Code Search: - https://github.com/search?type=code&q=%22.toFixed%287%29.replace%28%2F%28%5C.%5B0-9%5D%2B%3F%290%2B%24%2F%2C+%5C%22%241%5C%22%29.replace%28%2F%5C.0%24%2F%2C+%5C%22%5C%22%29%22 Which seemed to point me towards `tailwindcss-typography`'s `src/styles.js`: - https://github.com/tailwindlabs/tailwindcss-typography/blob/632970e3ce6fc10d1bfd8fb46cc9083d0d32986d/src/styles.js#L3-L7 ## See Also ### My Other Related Deepdive Gist's and Projects - https://github.com/0xdevalias - https://gist.github.com/0xdevalias - https://github.com/0xdevalias/chatgpt-source-watch : Analyzing the evolution of ChatGPT's codebase through time with curated archives and scripts. - [Reverse engineering ChatGPT's frontend web app + deep dive explorations of the code (0xdevalias' gist)](https://gist.github.com/0xdevalias/4ac297ee3f794c17d0997b4673a2f160#reverse-engineering-chatgpts-frontend-web-app--deep-dive-explorations-of-the-code) - [Deobfuscating / Unminifying Obfuscated Web App Code (0xdevalias' gist)](https://gist.github.com/0xdevalias/d8b743efb82c0e9406fc69da0d6c6581#deobfuscating--unminifying-obfuscated-web-app-code) - [Reverse Engineering Webpack Apps (0xdevalias' gist)](https://gist.github.com/0xdevalias/8c621c5d09d780b1d321bfdb86d67cdd#reverse-engineering-webpack-apps) - [React Internals (subsection)](https://gist.github.com/0xdevalias/8c621c5d09d780b1d321bfdb86d67cdd#react-internals) - [Vue Internals (subsection)](https://gist.github.com/0xdevalias/8c621c5d09d780b1d321bfdb86d67cdd#vue-internals) - [Angular Internals (subsection)](https://gist.github.com/0xdevalias/8c621c5d09d780b1d321bfdb86d67cdd#angular-internals) - [Fingerprinting Minified JavaScript Libraries / AST Fingerprinting / Source Code Similarity / Etc (0xdevalias' gist)](https://gist.github.com/0xdevalias/31c6574891db3e36f15069b859065267#fingerprinting-minified-javascript-libraries--ast-fingerprinting--source-code-similarity--etc) - [JavaScript Web App Reverse Engineering - Module Identification (0xdevalias' gist)](https://gist.github.com/0xdevalias/28c18edfc17606f09cf413f97e404a60#javascript-web-app-reverse-engineering---module-identification) - [Reverse Engineered Webpack Tailwind-Styled-Component (0xdevalias' gist)](https://gist.github.com/0xdevalias/916e4ababd3cb5e3470b07a024cf3125#reverse-engineered-webpack-tailwind-styled-component) - [React Server Components, Next.js v13+, and Webpack: Notes on Streaming Wire Format (`__next_f`, etc) (0xdevalias' gist))](https://gist.github.com/0xdevalias/ac465fb2f7e6fded183c2a4273d21e61#react-server-components-nextjs-v13-and-webpack-notes-on-streaming-wire-format-__next_f-etc) - [Bypassing Cloudflare, Akamai, etc (0xdevalias' gist)](https://gist.github.com/0xdevalias/b34feb567bd50b37161293694066dd53#bypassing-cloudflare-akamai-etc) - [Debugging Electron Apps (and related memory issues) (0xdevalias' gist)](https://gist.github.com/0xdevalias/428e56a146e3c09ec129ee58584583ba#debugging-electron-apps-and-related-memory-issues) - [devalias' Beeper CSS Hacks (0xdevalias' gist)](https://gist.github.com/0xdevalias/3d2f5a861335cc1277b21a29d1285cfe#beeper-custom-theme-styles) - [Reverse Engineering Golang (0xdevalias' gist)](https://gist.github.com/0xdevalias/4e430914124c3fd2c51cb7ac2801acba#reverse-engineering-golang) - [Reverse Engineering on macOS (0xdevalias' gist)](https://gist.github.com/0xdevalias/256a8018473839695e8684e37da92c25#reverse-engineering-on-macos)